
Research On The Detection And Classification Techniques Of Obfuscated Malware

Posted on: 2019-08-10
Degree: Master
Type: Thesis
Country: China
Candidate: X X Li
Full Text: PDF
GTID: 2428330566970993
Subject: Computer technology

Abstract/Summary:
With the rapid development of information technology, computers and networks have been incorporated into people's daily work and life, bringing great convenience. However, malicious software poses a great threat to the security of the user's computer, privacy, and the like. In particular, it obfuscates malicious code and uses a variety of obfuscation/packing techniques to defeat anti-virus software. Traditional malware detection methods are increasingly ineffective at detecting new malware samples and malware variants, and detection efficiency lags far behind the growth of malware. There is an urgent need for new malware detection techniques. To address this problem, the major work of this dissertation is as follows.

(1) An obfuscated-file detection technique based on API call sequences is proposed. The technique first solves the problem that the anti-disassembly obfuscation used by malware produces abnormal instruction features, and then extracts useful feature information from the malware program. Experimental results show that the technique can detect various obfuscation methods (e.g., packing, encryption, and instruction overlapping).

(2) A malware detection technique based on combined features is proposed. Once a file has been determined to be obfuscated, whether it is also malicious remains to be decided. To this end, an automatic classification system based on a machine-learning algorithm is designed and implemented. The system constructs combined features from static and dynamic features, which effectively reduces the chance of a feature being bypassed. Experimental results show that the classification accuracy of the detection method reaches 99.8% with a false positive rate of 0.2%.

(3) A detection method for the obfuscator/packer class, used to automatically identify obfuscated malware programs, is proposed. Byte-signature-based identification cannot correctly identify the obfuscator/packer type or version and adapts poorly when bytes are modified. To this end, this method uses a detection method based on a control-flow-graph signature. A control-flow-graph signature is hard to circumvent through modification, and it adapts well to revisions and rearrangements of instructions, allowing the signature to detect obfuscators/packers of different versions of the same type. Experimental results show that this method can effectively identify the type of obfuscator/packer without false positives, and signature generation takes only 0.5 ms.
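As an added illustration (not code from the thesis) of why a control-flow-graph signature survives the byte-level revisions that defeat a byte signature, the following Python compares the two on a constructed toy unpacking stub. The graph encoding, the BFS canonicalisation, the hashing and the family name are assumptions made for this example, not the thesis's method.

```python
import hashlib
from collections import deque

# Constructed toy control-flow graphs (not from any real packer): two revisions of
# the same unpacking stub and one unrelated stub. Each block lists its instructions
# as strings (standing in for raw bytes) and its successor block ids in branch order.
STUB_V1 = {
    0: {"insns": ["push ebp", "mov ebp,esp", "xor ecx,ecx"], "succ": [1]},
    1: {"insns": ["lodsb", "xor al,0x5a", "stosb", "inc ecx", "cmp ecx,edx"], "succ": [2]},
    2: {"insns": ["jne 1"], "succ": [1, 3]},  # loop back-edge first, exit second
    3: {"insns": ["jmp eax"], "succ": []},
}
# Revision 2: new XOR key and reordered register setup, identical control flow.
STUB_V2 = {
    0: {"insns": ["push ebp", "xor ecx,ecx", "mov ebp,esp"], "succ": [1]},
    1: {"insns": ["lodsb", "xor al,0xc3", "stosb", "inc ecx", "cmp ecx,edx"], "succ": [2]},
    2: {"insns": ["jne 1"], "succ": [1, 3]},
    3: {"insns": ["jmp eax"], "succ": []},
}
# An unrelated stub with straight-line control flow and no decryption loop.
STUB_OTHER = {
    0: {"insns": ["mov esi,edi", "xor eax,eax"], "succ": [1]},
    1: {"insns": ["call 2"], "succ": [2]},
    2: {"insns": ["jmp eax"], "succ": []},
}

def byte_signature(cfg):
    """Byte-style signature: hash of the instruction bytes; any edit changes it."""
    text = ";".join(i for b in sorted(cfg) for i in cfg[b]["insns"])
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def cfg_signature(cfg, entry=0):
    """Structural signature: number blocks by BFS from the entry and hash each
    block's successor numbers in branch order; instruction content is ignored."""
    order, queue = {entry: 0}, deque([entry])
    while queue:
        for s in cfg[queue.popleft()]["succ"]:
            if s not in order:
                order[s] = len(order)
                queue.append(s)
    shape = [(order[b], tuple(order[s] for s in cfg[b]["succ"]))
             for b in sorted(order, key=order.get)]
    return hashlib.sha256(repr(shape).encode()).hexdigest()[:16]

# Constructed signature database keyed by CFG signature; the family name is made up.
SIGNATURE_DB = {cfg_signature(STUB_V1): "toy_packer_family"}

def identify_packer(cfg):
    """Return the packer family whose CFG signature matches, or None if unknown."""
    return SIGNATURE_DB.get(cfg_signature(cfg))
```

Revision 2 changes the key constant and the instruction order, so its byte signature no longer matches, while its CFG signature still identifies the family; the unrelated stub matches neither.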
Keywords/Search Tags: Obfuscated Malware, Instruction Feature, Multi-contexts Feature, Control Flow Graph, Signature